“Confidential information in the organization needs to be kept safe,” I told an engaged audience at the recent Cyber in Business conference 2017 in Melbourne. “So when thinking about securing the perimeter, it’s about securing the data and personal data as well.”

The session included a live demonstration of how a hacker might go about gathering data about an employee of a target organization – showing just how easy it is to win the trust of users by email, get them to click on the attachment of a convincingly worded email, and execute an attachment that would infiltrate the company network and give hackers direct access to all of that company’s data.

‘Sure’, you say. ‘My users would never fall for that’.

Every company wants to believe its users would never knowingly fall for the tricks they receive in malicious emails – but breaches are still happening every day. And it’s understandable: although many malicious email campaigns are still run as ‘spray-and-pray’ exercises – often hastily assembled emails, with poor spelling and little personalization that are sent to massive numbers of recipients – online criminals have also become better at hiding their intentions in highly detailed, convincing ‘low and slow’ messages.

Spray-and-pray attacks typically emulate the billing emails sent by large and well-known utility companies, banks, or government agencies with which most recipients are likely to have some dealings. By including convincing designs and real logos, then lacing those emails with URLs that point to malware-ridden websites, attackers can install their malicious code if even one user follows the instructions in the mail.